Your iPhone calendar isn’t private—at least if you use the LinkedIn app

Researchers have found that the LinkedIn iPhone app transmits all manner of data from your iPhone's calendar to LinkedIn's servers without notifying the user.

Today's not a good day to be a LinkedIn user—doubly so if you use LinkedIn's iPhone or Android app. Researchers have discovered that the app scrapes users' calendar items and sends the data back up to its servers, even when those calendar items were created outside of the LinkedIn app. The scraped data includes participant lists, subjects of entries, times of meetings, and any attached meeting notes (such as dial-in details and passcodes).

The LinkedIn app manages to gain access to your calendar items because it has a feature that allows you to view your calendar from within the app itself. According to security researchers Yair Amit and Adi Sharabani, the app then transmits this information to LinkedIn's servers without any clear indication to the user that this is happening—a throwback to the Path controversy that revealed the social networking app (among many others) had been transmitting users' contact lists to a remote server without explicit user consent.

Amit and Sharabani plan to present their report at a cyber security conference in Tel Aviv on Wednesday. In their report, seen by Ars, they note that the information being collected by the LinkedIn app has no apparent relevance to the app's functionality, though they don't believe LinkedIn has included this functionality maliciously. "However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent," the researchers wrote.

LinkedIn defends itself by arguing that the calendar-viewing feature is opt-in, according to a statement given to the New York Times. "We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person," a spokesperson told the newspaper. Still, the company did not go into detail as to why it sends calendar data to its servers or why it doesn't make this feature obvious to users, potentially adding itself to the list of app makers being grilled on user privacy by members of Congress.

LinkedIn has now also published a blog post explaining its position on the app.

"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information," the company wrote. "In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes."

LinkedIn points out that it does ask for permission when accessing the calendar (though it doesn't explicitly tell users it's going to upload the data), and says the feature can be turned off at any time. LinkedIn also insists that it doesn't actually keep any of the data transmitted to its servers, and it doesn't share the data "for purposes other than matching it with relevant LinkedIn profiles."

As for what the app will do moving forward: "We will no longer send data from the meeting notes section of your calendar event. There will be a new 'learn more' link to provide more information about how your calendar data is being used." LinkedIn says these updates are already live on the Android app and will be coming to the iOS app shortly.